When an organization decides change is on the horizon, the horizon comes in a little closer.
SecureIQLab was founded in 2019 to provide top-tier cloud validation services to enterprises, vendors, and governments to meet the rising need for cloud security. If we could have predicted how a global pandemic would change the trajectory and expansion of cloud security before our very eyes, we wouldn’t have believed it ourselves.
Testing 2.0
Testing cloud security is not a simple endeavor, from either a scope or a validation perspective. Given the complexity of the different cloud providers and security technologies, it became evident that we needed feedback from organizations to understand the primary areas and key validation deficiencies the industry was facing when testing cloud security. Our foray into the world of Cloud Web Application Firewalls was a result of this extended primary research.
In 2021 we released our groundbreaking Cloud Web Application Firewall (WAF) CyberRisk Validation reports, which evaluated the efficacy of leading WAF products against a barrage of attacks and mapped the results to Return on Security Investment, a metric by which enterprises were often blindsided.
Starting in 2022, we created and published our enhanced WAF methodology 2.0, in which security efficacy and operational efficiency metrics remained the focus of our tests. We subjected the WAFs to new challenges with additional attack vectors, emulating more advanced threat actors. Here are a few notable enhancements in our 2022 WAF CyberRisk Validation testing cycle.
False Positives
A significant portion of data breaches are caused by web application vulnerabilities. Although WAFs can aid in preventing these incidents, proper tuning is required to maximize detection and minimize the false positives that disrupt business continuity and tax beleaguered IT professionals.
In the development of the WAF 2.0 methodology, expanded False Positive Avoidance test cases were added to better reflect the true Security Efficacy and Operational Efficiency of the validated solutions. The resulting False Positive Avoidance Scores ranged from 81% to 100%. In a cyber security utopia, all would score 100% on False Positive Avoidance. Custom tuning may result in higher False Positive Avoidance scores. Blocking cyber-attacks is the minimum expected of a WAF, but the false positive rate is a key differentiator in determining which solution provides the best return on security investment.
Mapping to Frameworks and Standards
When securing networks and data, it’s imperative to comprehend the behaviors and tactics of adversaries. This knowledge is crucial for security teams to effectively detect, prevent, and mitigate intrusions. In this test cycle, we mapped attacks to leading regulatory requirements and frameworks. Mapping was performed by correlating test cases to MITRE ATT&CK®, PCI DSS, and the OWASP Top 10. By mapping test cases to proven frameworks and industry standards, IT professionals are further empowered to apply test results to their specific requirements.
Vendor Collaboration
2022 saw an increase in vendor participation in the test cycle. Vendors and testers must work together to validate test results and improve the security ecosystem. The Anti-Malware Testing Standards Organization (AMTSO) has validated the need for this approach. Open communication between vendors and testers improves the quality of testing and products alike at an accelerated rate. We’re happy to report that vendors provided greater input and better communication than previously. Improved communication in 2022 resulted in the following improvements for cybersecurity customers:
- Improved product documentation
- Additional security features
- Enhanced product offerings
Increased communication led to and will continue to lead to richer testing and better products.
What’s on the Horizon for Cybersecurity in 2023
Testing
2023 will see the introduction of eXtended Detection and Response (XDR), Secure Service Edge (SSE), cloud-based endpoint, and Advanced Cloud Firewall (ACFW) public testing. Additionally, as we move forward with testing based on the SecureIQLab WAF 3.0 methodology, we are expanding our infrastructure and enhancing our toolset to provide more comprehensive test cases. Proof of concept attacks around API and DDoS security are currently underway.
Edge computing
While cloud computing is about running workloads within the cloud infrastructure, edge computing moves processing out to the edge and is becoming ubiquitous there. As we go into 2023 and beyond, we see its application impacting our daily lives, from parsing the data on convenient IoT devices such as the wearables on our wrists, to more critical devices in our smart grids, to the monitoring of oil rigs and more.
Edge computing security will be instrumental in enhancing privacy protections and data security while reducing operational costs. Edge devices will also have enhanced tie-ins and support for AI/ML applications focusing on reliability and compliance metrics.
Passwords
There’s never a time to stop talking about passwords. Approaches to multifactor authentication (MFA) will reduce reliance on passwords. We will keep helping enterprises and consumers alike understand the impact of MFA and the integral part it will play in the future of cybersecurity.
Cyber Insurance
In April of this year, we invited Vincent Weafer to amplify the discussions surrounding cyber insurance on Reining in the Cloud (Cyber Insurance in the Time of Crisis), the current insurance outlook, and what CISOs need to understand about resource allocation to apply cyber insurance to security structures. Security stakeholders must ensure that both threat mitigation and cyber insurance are considered when developing risk management strategies. Continuing increases in the volume of attacks and their financial impact will step up attention around, and adoption of, cyber insurance. Additionally, the increasing cost of breaches will result in a significant rise in premiums.
Nation-State Security
An honorable mention goes to a couple of major cyber security events that shaped this past year and shone a light on national and global security: you might remember Conti’s attack on Costa Rica (Conti Ransomware), the continuous monitoring of the ongoing Russia-Ukraine conflict, or the various nation-states throughout the world facing not only civil unrest but increasing cyber-attacks against critical infrastructure. The dynamic nature of these attacks emphasizes the necessity of protection across critical infrastructure, with strong security teams to back it.
Conclusion
As we wrap up a successful year of change and expansion, we recognize that with growth comes challenge. There is, however, no better moment than now to validate security processes, evaluate current systems and truly assess what is working and what changes are necessary for growth. For organizations, the risks are high, but the evaluation of risk is worth the reward.
Until next year,
SecureIQLab, LLC